In this age of cyber security awareness, it should not be a surprise that the number of incidents reported to the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) rose this year to 295, up from last year’s 245.
About 97 of the incidents reported in 2015 affected the critical manufacturing sector, compared with 66 in 2014.
The increase was the result of a spear-phishing campaign launched by an advanced persistent threat (APT) actor against organizations in critical manufacturing and other sectors, the report said. The attacker, believed to be the threat group known as APT3, exploited a zero-day vulnerability in Adobe Flash Player (CVE-2015-3113) in its operations.
In 2014, the same actor launched a reconnaissance operation in which it used social engineering tactics to trick the employees of the targeted organizations into handing over valuable information, ICS-CERT said.
The ICS-CERT results fall in line with reports from security researchers that said this year will be more of the same – much more.
But to security expert Eric Byres, as he adroitly points out, “more of the same” means much, much more.
“I think 2016 will bring us ‘more of the same’ with a big emphasis on ‘More.’ More publicly disclosed vulnerabilities, more published ICS exploits, more sophisticated attacks directed at control systems, more insecure IP devices connected to the control network, more interconnections from the outside world to the control system and of course, more hand wringing and gnashing of teeth about the sad state of the industry,” said security researcher Eric Byres in an ISSSource report.
Byres is not the only expert to feel that way.
“I believe that 2016 will continue the trend of attacks against automation and control infrastructure,” said Joel Langill, operational security professional and founder of SCADAhacker.com. “Events that have occurred over the past 3-5 years have shown the sophistication of these attacks is increasing, indicating the opponent is gaining more industry- and system-specific knowledge. My observations and analysis show more and more of these attacks will succeed due to the lack of a cyber security program based on operational security principles. The influx of organizations into the industrial sector that lack these OpSec principles has caused many organizations to focus too much of their attention and budgets on externally-originated threats, leaving them extremely vulnerable to numerous inside vectors.”
“The continued dependence on standard information security concepts like patch management and anti-malware protections is no longer sufficient in industrial architectures,” Langill said. “Until there is greater emphasis on limiting network access control, focusing on endpoints like embedded controllers and field devices that typically represent the greatest operational risk, and having established incident response procedures, future attacks are likely to target more valuable assets that will likely result in significant operational impact to those organizations targeted.”
Targeted assets remain a key factor moving forward.
The energy sector, which in 2014 accounted for 32 percent of critical infrastructure incidents, reported 46 incidents in 2015, representing 16 percent of the total. Incidents were also reported in sectors such as water (25), transportation systems (23), government facilities (18), healthcare (14) and communications (13), according to ICS-CERT.
ICS-CERT said it responded to incidents involving improperly configured infrastructure where ICS networks connected to corporate networks and even directly to the Internet.
While in more than one-third of cases investigators could not determine the infection vector used by the attackers, more than 100 incidents involved spear phishing.
The number of reports regarding network scans and probes by external parties decreased by more than 50 percent in 2015 compared to the previous year. However, ICS-CERT noted this trend could mean organizations are becoming better at handling such low-level issues on their own, and not necessarily a drop in the frequency of scanning and probing attempts.
ICS-CERT found that in 69 percent of incidents there was no evidence the attackers successfully breached the targeted organization, compared to 49 percent in 2014. The agency said the number of successful intrusions into control system environments increased from 9 percent in 2014 to 12 percent in 2015. In a further 12 percent of cases there was indication the attackers gained access to the target’s business network.